Security is an important problem for any compute platform that holds data in storage. A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system (OS) functionality or other applications. Rootkit drivers modify the data that is made available to all applications and to the OS. Malware threats are growing at an exponential rate. Malware, and low-level malware such as rootkits in particular, is getting stealthier and is attacking the host (personal computer) system stack far below the layer protected by anti-virus/anti-malware (AV/AM) approaches. Once low-level malware has infected the system, the state of the system as seen by the AV/AM approach is under the control of the malware.
The AV/AM approaches provided by independent software vendor (ISV) applications have no mechanism to detect whether the data that the ISV application is operating on is the actual data on storage; the data could be modified by the driver stack between storage and the application. This is called a lack of trusted reads. Likewise, ISV applications have no mechanism to detect whether the data they write to storage has actually been committed to storage; the data could be modified, redirected or “swallowed” by the driver stack between storage and the application. This is called a lack of trusted writes. There is typically no secure storage available to AV/AM approaches.
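The following simulation is an added illustration of the two gaps just described; it is not code from the original text and the text itself names no mechanism for closing them. It models the storage device, an interposed driver stack, and an AV/AM application, and assumes, purely for illustration, that the storage device and the application share a provisioned key and that the device returns a keyed MAC (HMAC-SHA256) over each read and each write acknowledgement. With that assumption, a plain read cannot tell tampered data from real data, while a trusted read or trusted write detects a modified read, a swallowed write, and a redirected write. All class names, the key, and the sector contents are constructed for the example.

```python
import hashlib
import hmac
import os

# Assumption for this example: the storage device and the AV/AM application
# share a key provisioned out of band. The value below is a constructed sample.
SHARED_KEY = b"example-provisioned-key-not-for-production"


def _tag(nonce: bytes, sector: int, payload: bytes) -> bytes:
    """Keyed MAC binding a per-request nonce, a sector number and a payload.
    The nonce stops replay of an old tag; the sector number stops redirection."""
    msg = nonce + sector.to_bytes(8, "big") + payload
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()


class Storage:
    """Stands in for the storage device: holds the real data and the key."""

    def __init__(self):
        self.sectors = {}

    def read(self, nonce, sector):
        data = self.sectors.get(sector, b"")
        return data, _tag(nonce, sector, data)

    def write(self, nonce, sector, data):
        self.sectors[sector] = data
        # Commitment: this exact data landed in this exact sector for this request.
        return _tag(nonce, sector, hashlib.sha256(data).digest())


class DriverStack:
    """Stands in for the OS/driver stack between application and storage.
    'honest' passes requests through; the other modes model the behaviours the
    text describes: modified reads, swallowed writes and redirected writes."""

    def __init__(self, storage, mode="honest"):
        self.storage = storage
        self.mode = mode

    def read(self, nonce, sector):
        data, tag = self.storage.read(nonce, sector)
        if self.mode == "tamper_read":
            data = b"CLEAN" + data[5:]  # present sanitized bytes to the scanner
        return data, tag  # the stack has no key, so it cannot recompute the tag

    def write(self, nonce, sector, data):
        if self.mode == "swallow_write":
            return os.urandom(32)  # fake acknowledgement, nothing is written
        if self.mode == "redirect_write":
            return self.storage.write(nonce, sector + 1, data)  # lands elsewhere
        return self.storage.write(nonce, sector, data)


class Application:
    """The AV/AM application. plain_read is what an ISV application sees today;
    trusted_read and trusted_write verify the device's tag before trusting data."""

    def __init__(self, stack):
        self.stack = stack

    def plain_read(self, sector):
        data, _ = self.stack.read(os.urandom(16), sector)
        return data  # no way to tell whether this is what is really on storage

    def trusted_read(self, sector):
        nonce = os.urandom(16)
        data, tag = self.stack.read(nonce, sector)
        ok = hmac.compare_digest(tag, _tag(nonce, sector, data))
        return data, ok

    def trusted_write(self, sector, data):
        nonce = os.urandom(16)
        ack = self.stack.write(nonce, sector, data)
        expected = _tag(nonce, sector, hashlib.sha256(data).digest())
        return hmac.compare_digest(ack, expected)


def demo(mode):
    """Run one scenario; returns (plain view, verified view, read trusted?, write committed?)."""
    storage = Storage()
    storage.sectors[7] = b"EVIL-payload"  # constructed: malicious bytes on disk
    app = Application(DriverStack(storage, mode))
    data, read_ok = app.trusted_read(7)
    write_ok = app.trusted_write(8, b"quarantine marker")
    return app.plain_read(7), data, read_ok, write_ok


if __name__ == "__main__":
    for mode in ("honest", "tamper_read", "swallow_write", "redirect_write"):
        print(mode, demo(mode))
```

In the tamper_read scenario the plain read and the verified read return the same sanitized bytes; the only difference is that the verified read also reports that the tag did not match, which is exactly the signal the text says ISV applications lack. The write side shows why the acknowledgement must be bound to both the request nonce and the sector: a swallowed write fails because the forged acknowledgement carries no valid tag, and a redirected write fails because the device's genuine tag names a different sector.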